Uniform Closures: Order-Theoretically Reconstructing Logic Program Semantics and Abstract Domain Refinements

Information and Computation 145, 153190 (1998) Article No. IC982724

Roberto Giacobazzi

Dipartimento di Informatica, UniversitaÁ di Pisa, Corso Italia 40, 56125 Pisa, Italy E-mail: giacoÄdi.unipi.it

and

Francesco Ranzato

Dipartimento di Matematica Pura ed Applicata, UniversitaÁ di Padova, Via Belzoni 7, 35131 Padova, Italy E-mail: franzÄmath.unipd.it

The notion of uniform closure operator is introduced, and it is shown how this concept surfaces in two different areas of application of abstract interpretation, notably in semantics design for logic programs and in the theory of abstract domain refinements. In logic programming, uniform closures permit generalization, from an order-theoretic perspective, of the standard hierarchy of declarative semantics. In particular, we show how to reconstruct the model-theoretic characterization of the well-known s-semantics using pure order-theoretic concepts only. As far as the systematic refinement operators on abstract domains are concerned, we show that uniform closures capture precisely the property of a refinement of being invertible, namely of admitting a related operator that simplifies as much as possible a given abstract domain of input for that refinement. Exploiting the same argument used to reconstruct the s-semantics of logic programming, we yield a precise relationship between refinements and their inverse operators: we demonstrate that they form an adjunction with respect to a conveniently modified complete order among abstract domains. ] 1998 Academic Press Key Words: uniform closure, abstract interpretation, logic program semantics, abstract domain refinement.

1. INTRODUCTION

Abstract interpretation [Cousot and Cousot 1977, 1979] is a well-establised theory for program analysis specification, which is gradually gaining ground also as a

153 0890-5401Â98 25.00 Copyright 1998 by Academic Press All rights of reproduction in any form reserved. 154 GIACOBAZZI AND RANZATO formal basis for the comparative study and the design of programming language semantics at different levels of abstraction [Cousot 1996, 1997a, 1997b; Cousot and Cousot 1992b, 1995; Giacobazzi 1996; Giacobazzi and Ranzato 1996]. Abstract interpretation theory provides the right mathematical tools to relate in a precise way semantic definitions and to systematically design new semantics, e.g., by approximation or refinement of existing ones. In POPL'92, Patrick and Radhia Cousot present the basis for this new range of applications, by studying the abstract interpretation of generic inductive definitions and by relating trace-based, relational, and denotational semantics. This work shows that some relevant constructions and results known in semantics of logic programming languages can be generalized from an order-theoretic perspective, and then applied in abstract interpretation theory, providing new and unexpected results in both areas. Our research starts by the attempt to reconstruct the standard hierarchy of declarative semantics for logic programs [Falaschi et al. 1989, 1993] in a purely order-theoretic fashion, i.e., independently from the properties peculiar to the objects manipulated by logic programs, namely atoms, clauses and substitutions. Surprisingly, this generalization, which relies on typical abstract interpretation tools like closure operators and Galois connections, while providing the possibility to extend some standard and well-known results in the field of logic programming semantics to other programming languages and semantics, also surfaces in other, completely different, applications of abstract interpretation theory, that is in the systematic design of abstract domains. In a sense, this is a good example where the traditional theories of programming language semantics and abstract interpretation may both benefit from a cross fertilization. Within the standard Cousot and Cousot [1977, 1979] framework, (upper) closure operators capture the ``essence'' of the process of abstraction; namely, they play the role of approximating operators. Given a concrete domain C, i.e., a complete lattice where the underlying ordering encodes the relation of approximation between objects (the top element represents no information, i.e., the meaning of the order is dual to the standard one used in classical domain theory), a closure operator \: C Ä C is monotone, idempotent and extensive (i.e., c\(c)). The intuition is quite simple. Monotonicity ensures that the abstraction monotonically approximates domain objects, idempotency means that the process of approximation is performed all at once, while extensivity captures precisely the intended meaning of approximation, i.e., an approximation \(c) ``contains'' less information than its source c. By this approach, the complete lattice uco(C) of all closure operators on C is identified with the so-called lattice of abstract interpretations of C [Cousot and Cousot 1977, 1979], i.e., the complete lattice of all possible abstract domains (modulo isomorphic representation of their objects) of the concrete domain Cwhere the bottom, i.e., the straightforward abstraction, is C itself. The order-theoretic reconstruction of the hierarchy of logic program semantics leads naturally to the concept of uniform closure, specialized by duality to meet- and join-uniformity, which is the main novel lattice-theoretic notion of the paper. A closure operator \ on a complete lattice C is meet-uniform when for any non- empty subset Y C, if all the elements of Y are mapped by \ to some c then also the infimum 7Y is mapped by \ to c. Let us give a simple example. Consider the UNIFORM CLOSURES 155 classical domain Sign depicted in Fig. 1, typically used for sign analysis of integer variables. The abstract domains A\0 and A\ both depicted in Fig. 1 are two proper abstractions of Sign (actually, A\ is in turn an abstraction of A\0). These domains correspond to the following closure operators \A\0 and \A\ defined over Sign:

Z if x=Z,0+,0& Z if x=Z,0,0+,0& \ \0(x)= \ \(x)= A {x otherwise; A {x otherwise.

It turns out that \A\0 is not meet-uniform, because [x # Sign | \A\0(x)=Z] does not contain its infimum 0, while it is immediate to check that \A\ is meet-uniform, since in this case [x # Sign | \A\(x)=Z] contains its infimum. Closure operators are, in general, neither additive nor co-additive (namely, they do not preserve sups or infs), and meet-uniformity is, in general, weaker than co-additivity. For instance, in the example above, although being meet-uniform,

\A\ is not co-additive: <=\A\(0+ 7 &){\A\(0+)7\A\(&)=&. We prove that given a meet-uniform closure \ on C, meet-uniformity provides a systematic way for lifting the complete order of C, yet maintaining a complete lattice structure, and achieving co-additivity for \ relatively to the lifted complete order. The definition of such lifted partial order is obtained by generalizing a construction by Falaschi et al. [1993], proposed to relate semantic interpretations for logic programs. Their definition is obtained by lifting the Hoare powerdomain preorder between nonground interpretations (i.e., sets of atoms), based on the relation of instantiation between atoms, so that it becomes a partial order (actually, a complete order). The relevant point of this construction is that it allows one to keep track both of the degree of instantiation and of set inclusion between interpretations. The generalization of that idea is quite simple. Given a complete lattice C and any operator \: C Ä C, for all x, y # C, x is smaller than y in the lifted order for \, whenever \(x) is smaller than \( y) in the original order of C. This would lead in general to a preorder relation, unless \ is injective. Thus, when two elements are mapped by \ to the same value, the original partial order is considered: whenever \(x)=\( y), if x is smaller than y in the original order of C, then x is smaller than y in the lifted order as well. The link with the notion of meet-uniformity is given by the relevant consequences of this definition when \ is a meet-uniform closure operator. The approach of Falaschi et al. [1993] can be then reformulated by means of the closure under instantiation over interpretations, which actually results to be meet-uniform. In the simple example above, the lifted order for Sign with respect to the meet-uniform closure \A\ gives rise to the lattice depicted in Fig. 2,

FIG. 1. The domain Sign and two its abstractions A\0 and A\. 156 GIACOBAZZI AND RANZATO

FIG. 2. Sign equipped with the lifted order for \A\ . where, e.g., + becomes smaller than &0. Moreover, it is easily seen that for this lifted order, the closure \A\ actually becomes co-additive. Let us now illustrate in more detail how the general theory of uniform closure operators will be applied in the fields of logic program semantics and abstract domain design.

Order-theoretic reconstruction of the s-semantics of logic programs. The declarative s-semantics has been proposed by Falaschi et al. [1989] (for a survey see [Bossi et al. 1994]) as a semantics modeling more adequately than the canonical least Herbrand model semantics [van Emden and Kowalski 1976] the operational behavior of a logic program as defined by SLD-resolution. In particular, stronger soundness and completeness results hold for the s-semantics, and this allows one to characterize precisely the key observable operational property of computed answer substitutions. Due to these features, the s-semantics has been widely and successfully applied in the area of semantics-based program transformation and analysis (see, e.g., [Bossi and Cocco 1993; Barbuti et al. 1993; Codish e tal. 1994]). One of the key points of this approach is that the denotations (or interpretations) for a logic program are equivalence classes (w.r.t. renaming of variables) of sets of possibly nonground atoms. However, the original model-theoretic view of s-semantics was unsatisfactory, being based on ad hoc notions of s-truth and s-model [Falaschi et al. 1989, Section 4]. These problems have been solved by Falaschi et al. [1993], where a nonground interpretation is defined to be a model whenever the corresponding Herbrand interpretation, given by the closure under ground instances, is a model in the standard sense. However, as observed by Falaschi et al. [1993], the model intersection property, which allows one to associate with each logic program a canonical model, does not hold in general for these latter models. This is basically due to the fact that plain set inclusion does not adequately reflect this intended meaning of nonground interpretations as models, and instantiation between atoms should be also taken into account. We show that the construction proposed by Falaschi et al. [1993] to overcome these problems can be made fully independent from any notion peculiar to logic programming. Actually, we prove that many results given by Falaschi et al. [1993] can be obtained as an instance of a general framework which completely reconstructs their approach using pure order-theoretic concepts only. There are three key observations that led to our construction: (i) the semantics involved in [Falaschi et al. 1993] are related each other by abstract interpretation; (ii) the semantics of computed answers is related to that of correct answers by a UNIFORM CLOSURES 157 meet-uniform closure, which is an instance of a generic downward closure later discussed in Sections 3 and 4; (iii) the lifted order induced by the downward closure generalizes exactly the new ordering relation introduced by Falaschi et al. [1993]. Thus, in our order-theoretic approach, the downward closure becomes co-additive with respect to the lifted order, and, as a consequence, this ensures the existence of the least canonical model. Being independent on specific semantic objects, our results are applicable to other semantics for logic programming in the style of s-semantics, and, more in general, to programming language semantics specified as inductive definitions. For instance, as far as logic programming is concerned, it should not be too hard to generalize many results of the model-theoretic compositional semantics of Bossi et al. [1994, Section 5], following the lines of our approach. It is worth remarking that logic programming is probably the programming paradigm where abstract interpretation ideas have been mostly successful in the study of semantics, as the growing literature on this topic shows (e.g., see [Amato and Levi 1997; Comini and Levi 1994]; Commi et al. 1995; Fages and Gori 1996; Giacobazzi 1996; Giacobazzi and Ranzato 1995, 1996]), and therefore our results fit well along this trend.

Order-theoretic foundations of abstract domain refinements. The idea of domain refinement is recurrent in abstract interpretation. Relevant examples include the disjunctive completion [Cousot and Cousot 1979, 1994; File and Ranzato 1998; Giacobazzi and Ranzato 1998; Jensen 1997] and the reduced product [Cousot and Cousot 1979], to cite the most known ones. The basic idea is that more expressive abstract domains can be obtained by combining simpler ones or by lifting them by systematically adding new information. A systematic treatment of abstract domain refinements has been given in [File et al. 1996; Giacobazzi and Ranzato 1997], where a generic refinement is defined to be a lower closure operatorthat is, extensivity is replaced by the dual reductivityon the lattice of abstract interpretations of a given concrete domain. The intuition is still the most natural. Monotonicity of the refinement preserves the relative precision between abstract domains, idempotency ensures that the refinement is performed all at once, and reductivity captures the action of refinement. These kind of operators on abstract domains provide high-level facilities to tune a program analysis in accuracy and cost, and have been included as tools for design aid in modern systems for program analysis, for instance in System Z [Yi and Harrison 1993], in PLAI [Codish et al. 1995], and in GAIA [Cortesi et al. 1994]. Recently, much attention has been devoted to ``invert'' abstract domain refinements. For a given refinement R # lco(uco(C)), this corresponds to define an operator which simplifies an abstract domain A of input for R, by returning the domain (if any) which contains the least amount of information required by R to get the same expressiveness obtainable from A. Thus, the inverse operator of R exists on a class K uco(C) of abstract domains when, for any A # K, there exists the least (w.r.t. the ordering of uco(C)) common abstraction of all the domains D such that R(D)=R(A). Intuitively, this somehow resembles what the operation of compression does on files. The problem of inverting in the above sense a refinement 158 GIACOBAZZI AND RANZATO can be quite hard to solve in a satisfactory way. Moreover, File et al. [1996] observed that not all refinements can be inverted on a significant class of abstract domains. The problem of inverting the reduced product and disjunctive completion has been solved, introducing, respectively, the notions of complementation [Cortesi et al. 1995] and least disjunctive basis [Giacobazzi and Ranzato 1998]. We observe here that the the problem of inverting an abstract domain refinement is closely bound to the concept of uniformity. In fact, since the least common abstraction on the lattice of abstract interpretations coincides with the least upper bound operation, it turns out that a refinement R is invertible if and only if R is join-uniform. Using a straightforward extension of the notion of uniformity, it can be stated more precisely that R is invertible on a class K of abstract domains if and only if R is join-uniform on K. The situation is therefore dual to that above for logic program semantics, i.e., join-uniformity replaces meet-uniformity, and hence it is possible to lift the complete order between abstract domains with respect to an invertible refinement. We argue that this novel order reflects more adequately than the standard one the relation of precision between abstract domains relatively to a given invertible refinement. Moreover, we demonstrate that an invertible refinement and its inverse operator give rise to an adjunction with respect to the lifted order, and this justifies once more the use of the term ``inversion'' in this context. Structure of the paper. In Section 2, we recall the basic notations and notions of lattice theory and logic programming used in the paper, and we present a succinct overview of abstract domain theory. In Section 3, motivated from the approach in [Falaschi et al. 1993], we introduce the main notion of uniformity, and in Section 4, we study the meet-uniformity for closure operators on complete lattices. In Section 5, we define the lifting of a complete order via a meet-uniform closure operator, and we prove that this process preserves the complete lattice structure and allows the meet-uniform closure to become co-additivity. Using the previous results, in Section 3 we define our order-theoretic generalized semantics, which generalizes the results in [Falaschi et al. 1993]. In particular, the order-theoretic generalizations of the notions of model and least model of a logic program are presented, respectively, in Sections 6.1 and 6.2. Section 7 presents the application to the theory of abstract domain refinements. Section 8 concludes, also by sketching some further research directions.

2. PRELIMINRAIES

In this section, we briefly introduce the notation used throughout the paper and summarize some definitions and well-known properties concerning closure operators (for more details see [Birkhoff 1967; Morgado 1960; Ward 1942]), abstract interpretation (see [Cousot and Cousot 1977, 1979]), and logic programming (e.g., see [Apt 1990]).

2.1. Basic Notation Let C and D be sets. The powerset of C is denoted by ^(C), and its cardinality by |C|. The set-difference between C and D is denoted by C"D.Iff is a function UNIFORM CLOSURES 159 defined on C and D C then f(D)=[f(x)|x # D]. Functions will be sometimes denoted by Church's lambda notation. By g b f we denote the composition of the functions f and g, i.e., g b f =*x.g( f(x)). The set C equipped with a partial order

is denoted by (C,) or simply by C .IfC is a poset, we usually denote by

C the corresponding partial order. A complete lattice C with partial order , least upper bound (lub) , greatest lower bound (glb) Ã, top element =Ã <= C, and bottom element == <=Ã C, is denoted by (C,, 6 , 7 , , =).

When C is a lattice, C , ÃC , C and =C denote the corresponding basic operators and elements. Often, we will slightly abuse notation by denoting lattices with their poset notation. We use C$D to denote that the ordered structures C and D are isomorphic. A function f: C Ä D between complete lattices is additive if for any

Y C, f(C Y )=D f(Y ). Co-additivity is dually defined.

2.2. Closure Operators

An (upper) closure operator (or simply closure) on a poset C is an operator \: C Ä C monotone, idempotent and extensive (i.e., \x # C.x\(x)). We denote by uco(C) the set of all closure operators on the poset C.IfC is a complete lattice then each closure operator \ # uco(C) is uniquely determined by the set of its fixpoints, which is its image \(C). A subset Y C is the set of fixpoints of a closure operator iff Y is a Moore-family of C, i.e., Y=[Ã X | X Y] (where =Ã < # Y ). In this case, \Y=*x.Ã [y# Y | x y] is the corresponding closure on C. The set \(C)of fixpoints of \ # uco(C) is a complete lattice (with respect to the order of C), and more precisely is a complete meet subsemilattice of C (namely, the glb's in C and \(C) coincide). However, in general, \(C) is not a complete sublattice of C, since the lub in \(C) might be different from that in C: in fact, \(C) is a complete sublattice of C iff \ is additive. In view of the above equivalence, often we will find it particularly convenient to identify closure operators with their sets of fixpoints, using as notation capital Latin letters; instead, when viewing closures as functions, we will use Greek letters to denote them. In the following, we will keep this soft ambiguity by using both notations and leave to the reader to distinguish their use as functions or sets, according to the context. We denote by (uco(C), =C, ? , @ , *x., *x.x) the complete lattice of all closure operators on the complete lattice C, where for every \, ' # uco(C), [\i]i # I uco(C) and x # L:

\=C' iff \x # C.\(x)'(x), or equivalently, \=C' iff '(C) \(L);

(i # I \i)(x)=x \i # I.\i (x)=x;

(i # I \i)(x)=Ãi # I \i (x); *x. is the top element in uco(C), whereas *x.x is the bottom element.

By ucoa(C) and ucoca(C), we denote, respectively, the subsets of uco(C) consist- ing of all additive and co-additive closures on C. For a closure operator \ # uco(C) and Y C, the following two properties hold:

(i) \(Ã \(Y ))=Ã \(Y ); (ii) \( Y )=\( \(Y )). 160 GIACOBAZZI AND RANZATO

It is known that the complete lattice uco(C)isdual-atomic, namely each closure different from the top *x. is the glb of the set of dual-atoms following it (where a dual-atom is an element covered by the top). Lower closure operators are dually defined; that is, extensivity is replaced by reductivity: \x # C.\(x)x. The set of all lower closure operators on C is denoted by lco(C). All the properties of lower closure operators can be derived by duality from those above for upper closures (in particular, uco(C) and lco(C) are dually isomorphic). Often, upper and lower closures will be called simply closures, and we will leave to the reader to distinguish them according to the context.

2.3. Galois Connections and Abstract Domains

If C and A are posets and :: C Ä A, #: A Ä C are monotone functions such that

\c # C.cC #(:(c)) and \a # A.:(#(a))A a, then the quadruple (:, C, A, #)isa Galois connection (G.c. for short) between C and A. If in addition \a # A.:(#(a))=a, then (:, C, A, #)isaGalois insertion (G.i. for short) of A in C. In a G.i. (:, C, A, #), : is onto and # is 11. We also recall that the above definition of Galois connection is equivalent to that of adjunction: if :: C Ä A and #: A Ä C then (:, C, A, #) is a G.c. iff \c # C.\a # A.:(c)A a cC #(a). The map : (#)is called the left-adjoint (right-adjoint)to# (:). This terminology is justified by the well-known fact that one mapping uniquely determines the other. In particular, when C and A are complete lattices, if : is additive, or # is co-additive, then it determines a Galois connection, where:

(i) \a # A.#(a)=C [c # C | :(c)A a];

(ii) \c # C.:(c)=ÃA [a # A | cC #(a)].

For a function f, we denote by f r ( f l) the corresponding right-adjoint (left-adjoint) function, whenever it exists. Within the standard Cousot and Cousot [1977, 1979] abstract interpretation framework, a nonstandard program semantics is obtained from the standard one by substituting its domain of computation, called concrete (and the basic operations on it), with an abstract domain (and corresponding abstract operations). The concrete and abstract domains are complete lattices, where the ordering relations describe the relative precision of the denotationsthe top elements representing no information. The concrete domain C and the abstract domain A are related by a Galois connection (:, C, A, #), where : and # are called the abstraction and concretization maps, respectively. Also, A is called an abstraction of C. The intuition is that the concretization map gives the concrete value corresponding to an abstract denotation (i.e., its semantics), whereas for a concrete value the abstraction map gives its best (with respect to the ordering of A) abstract approximation. Thus, an abstract value a # A approximates a concrete value c # C if cC #(a), or equivalently (by adjunction), if :(c)A a.If(:, C, A, #) is a G.i., each value of the abstract domain is useful in the representation of the concrete domain, because all the elements of A represent distinct members of C, being # 11. It is known that any G.c. may be lifted to a G.i. identifying in an equivalence class those values of the UNIFORM CLOSURES 161 abstract domain with the same concrete meaning. This process is known as reduction of the abstract domain. It has been well-known since [Cousot and Cousot 1979] that abstract domains can be equivalently specified either as Galois insertions or as (sets of fixpoints of) upper closures on the concrete domain. These two approaches are completely equivalent: if \ # uco(C) and A$\(C) (with @: \(C) Ä A and @&1 : A Ä \(C) being the isomorphism) then (@ b \, C, A, @&1) is a G.i.; if (:, C, A, #) is a G.i. then \A=# b : # uco(C) is the closure associated with A such that \A(C)$A. Actually, an abstract domain A specified by a G.i. (:, C, A, #) is just a ``computer representation'' of its logical meaning, namely its image in the concrete domain C, and therefore the essence of A lies with the corresponding closure operator \A .By the above equivalence, it is not restrictive, and often more convenient, to use the closure operator approach to reason about abstract domain properties independently from the representation of the objects. Thus, whenever we will introduce closure operators on some complete lattice C, we will be actually doing a step of abstract interpretation on C. Consequently, we will identify uco(C) with the so-called lattice of abstract interpretations of C (cf. [Cousot and Cousot 1977, Section 7] and [Cousot and Cousot 1979, Section 8]), i.e., the complete lattice of all possible abstract domains (modulo isomorphic representation of their objects) of the concrete domain C. The ordering on uco(C) corresponds precisely to the standard order used to compare abstract domains with regard to their precision:

A1 is more precise than A2 (or A2 is an abstraction of A1) iff A1=CA2 in uco(C). The lub and glb on uco(C) have therefore the following meaning as operators on domains. Let [Ai]i # I uco(C): (i) i # I Ai is the most concrete among the domains which are abstractions of all the Ai 's, i.e., i # I Ai is the least common abstraction of all the Ai 's; (ii) i # I Ai is (isomorphic to) the well-known reduced product

(basically cartesian product plus reduction) of all the Ai 's, or, equivalently, it is the most abstract among the domains (abstracting C) which are more concrete than every Ai .

2.4. Logic Programming Notation

Throughout the paper, Atom will denote the set of atoms built over a given first- order language L (where Var denotes the set of variables). A syntactic object is termed ground if it does not contain occurrences of variables. The set of all substitutions (built on L) is denoted by Sub. The application of a substitution _ to a syntactic object s is denoted by s_. A variable renaming is a substitution which is a bijection on Var. A syntactic object t$ is more instantiated than t, denoted t$Pt, iff there exists _ # Sub such that t$=t_. The relation P is a pre-order on

Atom. Syntactic objects t1 and t2 are equivalent up to renaming, denoted t1tt2 , iff t1 Pt2 and t2 Pt1 . For the sake of simplicity, we will let a syntactic object denote its equivalence class by renaming. The quotient AtomÂt becomes partially ordered with respect to P. With abuse of notation, it is still denoted by Atom, and it is also called the nonground Herbrand base. The subset of Atom given by ground atoms is denoted by Atom< , and called the (ground or standard) Herbrand base. 162 GIACOBAZZI AND RANZATO

3.DOMAINS OF INTERPRETATIONS AND MEET-UNIFORMITY

In this section, we introduce the concept of (meet-)uniform function defined on complete lattices, which provides the key notion both for order-theoretically reconstructing the model-theoretic semantics of logic programs and for studying abstract domain refinements.

Motivations from logic programming. We recall some of the notions involved in the construction proposed by Falaschi et al. [1993]. This is obtained by presenting the different logic program semantics as related by abstract interpretation, similarly to the approaches of Comini and Levi [1994] and Giacobazzi [1996]. In the following, let us assume that a fixed first-order language L is given; all the subsequent notions are then given with respect to L. In [Falaschi et al. 1993], an interpretation is defined to be any subset of the nonground Herbrand base Atom. Hence, the domain of interpretations is fixed as the powerset (^(Atom), ) of the nonground Herbrand base, ordered by subset inclusion. Some operators on interpretations are defined as follows. Suppose that I # ^(Atom).

(i) Closure by instantiation: WI X=[A # Atom | _B # I.APB]; (ii) Ground elements: wIx=[A # I | A is ground];

(iii) Ground instances: gr(I)=wWI XxI=WI X & Atom< .

Using these operators, we now build a hierarchy of the various domains of interpretations introduced by Falaschi et al. [1993]. The operator W}X defines the subset â(Atom)of^(Atom) given by the interpretations closed by instantiation: â(Atom)=[I # ^(Atom)|I=WI X]. Moreover, the set of ground Herbrand inter- a pretations ^(Atom<) can be in turn defined as the subset of ^ (Atom) which is a image of the operator gr (or w } x): ^(Atom<)=[I # ^ (Atom)|I= gr(I)(=wIx)]. It is immediate to check that W } X: ^(Atom) Ä ^(Atom) is an additive closure operator. Hence, its set of fixpoints, equipped with the subset ordering, is a complete sublattice of ^(Atom), namely (â(Atom), ) is a complete lattice, where lub and glb are, respectively, union and intersection. According to the abstract interpretation viewpoint, this means that the domain of interpretations closed by instantiation actually is an abstraction of the basic domain of (nonground) interpretations. This observation makes explicit in the framework of abstract interpretation the intuition that, by considering as domain of interpretations â(Atom) instead of ^(Atom), we are actually disregarding some of the information that ^(Atom) is able to represent. On the other hand, it is also clear that gr: â(Atom) Ä â(Atom) is additive and co-additive. Therefore, its image (^(Atom<), ), equipped with the subset ordering, is a complete sublattice of (â(Atom), ), and hence lub and glb are union and intersection, respectively. It is worth noting that since gr is additive, it is a r the left-adjoint of the Galois insertion (gr, ^ (Atom), ^(Atom<), gr ), where the UNIFORM CLOSURES 163

r a r a right-adjoint gr : ^(Atom<) Ä ^ (Atom) is defined as gr (I)= [J # ^ (Atom)| gr(J) I]. Hence, this Galois insertion induces the closure operator cgr= grr b gr # uco(^a(Atom)), and its image (cgr(^a(Atom)), ) is a complete lattice isomorphic to (^(Atom<), ). Moreover, since right-adjoints are always co-additive and the composition of co-additive functions is co-additive, the co-additivity of gr induces the co-additivity of the corresponding closure cgr. Here again, these a remarks say that ^(Atom<) is in turn an abstraction of ^ (Atom). Thus, from the perspective of abstract interpretation, we deal with a hierarchy of abstract domains, as depicted by Fig. 3. Order-theoretic generalization. From the order-theoretic point of view, we assume that the basic domain of interpretations is merely any complete lattice (C,). To generalize the syntactic operators defined above from an order- theoretic perspective, it is necessary to assume that the domain of interpretations is a powerset of a poset, ordered by subset inclusion, namely (C,)=(^(Q), ), where (Q,Q) is any posetnevertheless, it should be remarked that this hypothesis will not be necessary for our generalized order-theoretic construction, as we will see later. The generalization is then immediate, since it involves standard and well-known operators used in basic lattice theory. Let G Q be fixed (G stands for the ground Herbrand base), and let I # ^(Q).

(i) WI X= a I=[x # Q | _y # I.xQ y]; (ii) wIx=I & G; (iii) gr(I)=wWI XxI=(aI) & G. It is immediate to note that a # uco(^(Q)), and, furthermore, it is additive. This closure operator is generally known as the downward closure. Moreover, it is worthwhile to observe that a is not co-additive: in fact, for the lattice L depicted below, we have that a([a]& [b])=a<=<, while a[a]& a[b]=[=].

v a vvb v =

As far as w } x: ^(Q) Ä ^(Q) is concerned, it is immediate to note that w } x is both additive and co-additive.

FIG. 3. The hierarchy of domains of interpretations. 164 GIACOBAZZI AND RANZATO

We propose a generalization of the hierarchy of domains of interpretations recalled above which only takes into consideration some of the order-theoretic properties of the functions involved in that construction. To mimic the closure by instantiation relating ^(Atom) and ^a(Atom), we assume that a closure operator \ # uco(C) is defined on the generalized domain (i.e., any complete lattice) (C,). Thus, the closure \ formalizes a step of abstraction on the domain C. In contrast with W } X and its immediate generalization a above, we do not require the additivity of \. Instead, we focus on a peculiar and somehow hidden order-theoretic property of the downward closure a # uco(^(P)), which we call meet-uniformity. To the best of our knowledge, this property of functions has not been previously considered in the literature.1 Let C be a complete lattice and S be any set.

Definition 3.1. A function f: C Ä S is meet-uniform if for all x # C and Y C, such that Y{<,

(\y # Y. f( y)= f(x))O f Ä Y = f(x) \ C +

In other terms, if S is thought of as a lattice, then a mapping f from C to S enjoys the property of meet-uniformity if it is co-additive for any family of elements for which f is constant. Note that the above condition is vacuously satisfied for Y singleton, and therefore, in the following proofs of meet-uniformity, we will assume |Y |>1. Further, notice that if f is 11 then it is trivially meet-uniform. It is also worth noting that in the above definition the complete lattice C can be easily generalized to any algebra equipped with a finitary or infinitary operation which replaces the role played by the glb of C. However, this generality does not con- tribute significantly to our aims. As far as closures are concerned, we denote by uco*(C)=[\# uco(C)|\ is meet-uniform] the set of all meet-uniform closure operators on the complete lattice C. As announced above, although not being co-additive, the downward closure is meet-uniform, whenever the poset Q satisfies the ascending chain condition (ACC for short, i.e., it does not contain infinite strictly increasing chains).

Theorem 3.2. If Q satisfies the ACC then a is meet-uniform.

To demonstrate this result, we need some notation and a preliminary lemma. The operator max: ^(Q) Ä ^(Q), giving the maximal elements of any subset S of Q,is defined as max(S)=[x # S | \y # S.xQ y O x= y].

1 The only account we found on a similar property for closure operators is in [Adaricheva and Gorbunov 1990]. The authors introduced in Definition 1.1 the notion of equational closure on a complete lattice L, as a strict meet-uniform upper closure operator \ on L, where, in addition, closed elements distribute in L and \(L) is join-generated by the dual-compact elements of L. The lattice- theoretic structure of equational closures is studied by Adaricheva and Gorbunov [1990] in Section 5. However, because meet-uniformity is in general weaker than equationality, their results are not applicable to study the properties of generic meet-uniform closure operators on complete lattices. UNIFORM CLOSURES 165

Lemma 3.3. Let Q be a poset. (i) For any S # ^(Q), max(S)=max( a S). (ii) If Q satisfies the ACC then, for all S Q, aS=amax(S). (iii) If Q satisfies the ACC then, for all S, T Q, aS=aT max(S)= max(T ).

Proof. (i) ( ) Let x # max(S) and consider any y # aS such that xQ y.

Hence, there exists z # S such that yQ z. Thus, xQ z, from which x=z. Therefore, x= y, and x # max(aS). ($) Let x # max(aS). If x # S then x # max(aS), since S aS. Otherwise, x # aS"S. Thus, there exists y # S such that x

( ) Let x # aS. Then, there exists y0 # S such that xQ y0 .Ify0 # max(S) then x # amax(S). Otherwise, there exists y1 # S such that y0Q y1 and y0{ y1 , i.e., y0

Proof of Theorem 3.2. Consider any family [Si]i # I ^(A) (where |I|>1) and

T # ^(A) such that \i # I. a Si=aT. Let us prove that a (i # I Si)=aT. ( ) By monotonicity of a. ($) Let x # aT. By Lemma 3.3 (ii), aT=amax(T ), and, therefore, there exists y # max(T ) such that xQ y. By Lemma 3.3 (iii), for all i # I, max(Si)= max(T ), and hence, max(T ) Si . Thus, max(T ) i # I Si , and y # i # I Si , i.e., x # a(i # I Si). K It is worth remarking that when Q does not satisfy the ACC, Theorem 3.2 in general does not hold, as the following example shows. Example 3.4. Consider the poset N of natural numbers, equipped with the standard ordering, which does not satisfy the ACC, and the subsets O and E of, respectively, odd and even numbers. Then, aO=aE=N, whilst a(O & E)= a<=<, i.e., a is not meet-uniform. Since Atom, equipped with the partial order of instantiation P, is evidently a poset satisfying the ascending chain condition, as a consequence of Theorem 3.2, we get that the closure by instantiation W } X: ^(Atom) Ä ^(Atom) is meet-uniform. We will see later that meet-uniformity is the key order-theoretic property that allows us to generalize the results in [Falaschi et al. 1993]. Then, in our generalized hierarchy, we assume that the first step of abstraction is given by a meet-uniform closure operator \ # uco*(C). The next step consists in generalizing the grounding operator defined on â(Atom). As observed above, gr and w } x coincide on â(Atom), and gr: â(Atom) Ä â(Atom) is both additive and co-additive. Our 166 GIACOBAZZI AND RANZATO

FIG. 4. The generalized order-theoretic hierarchy of domains. generalization simply considers any co-additive map defined on the image (\(C), ), namely any g: \(C) Ä \(C) which is co-additive. Clearly, being co-additive, g is also monotone. Hence, in this case the key order-theoretic property of the grounding operator relating the domain of interpretations closed by instantiation and the domain of ground interpretations is its co-additivity. As we noted above, this actually is an abstract interpretation step. However, for our purposes, we only need to consider a co-additive map. Also, notice that the image (g(\(C)), ) of the co-additive function g, is a complete lattice w.r.t. the induced order , where the glb coincides with that of \(C) (which in turn coincides with that in C), i.e., (g(\(C)), ) is a Moore-family of both (C,) and (\(C), ). Our order- theoretic generalized hierarchy is summarized by Fig. 4.

4. MEET-UNIFORM CLOSURE OPERATORS

In this section, we mainly concentrate on studying the properties of meet-uniform closure operators on complete lattices. In the following, let us assume that (C,) is any complete lattice. As we noted above, each injective function is meet-uniform. As far as closures are concerned, obviously, the only injective closure is the identity. Thus, injectivity is not relevant to characterize meet-uniformity of closure operators. Moreover, the following remark shows that, for any closure operator, the dual property of join-uniformity is always satisfied. Remark 4.1. Each \ # uco(C) is join-uniform. Proof. Let Y C and x # C, with |Y|>1, such that for any y # Y, \( y)=\(x). Then, by point (ii) in Section 2.2 and by idempotency, \( Y )=\( \(Y ))= \(\(x))=\(x). K Clearly, the bottom element of uco(C), i.e., the identity operator, belongs to uco*(C). Furthermore, the following result holds. Theorem 4.2. uco*(C) is a Moore-family of uco(C).

Proof. Clearly, *x. # uco*(C). Then, let us consider [\i]i # I uco*(C), with

|I|>1. We show that i # I \i # uco*(C). Consider any Y C and x # C such that for all y # Y,(i # I \i)( y)=(i # I \i)(x). If we prove that for any i # I, \i (Ã Y )=

\i (x), the thesis follows, since (i # I \i)(Ã Y )=Ãi # I \i (Ã Y )=Ãi # I \i (x)=

(i # I \i)(x). Thus, consider any j # I and y # Y. Then, y(i # I \i)(y)=

(i # I \i)(x)=Ãi # I \i (x), and, analogously, xÃi # I \i ( y). Hence, y\j (x) and UNIFORM CLOSURES 167

x\j ( y), from which \j ( y)=\j (x) easily follows. Therefore, for all i # I,

\i (Ã Y )=\i (x). K As a consequence, uco*(C) is a complete lattice with respect to the order inherited from uco(C). The next example shows that, in general, uco*(C) is not a complete sublattice of uco(C).

Example 4.3. Consider the finite lattice L depicted in Section 3 (the four-point ``rhombus'' lattice). The closure operators on L are as follows:

\1=[], \2=[, a], \3=[, =], \4=[, b],

\5=[, a, =], \6=[, b, =], \7=[, a, b, =], and therefore uco(L) is the lattice depicted in Fig. 5. It is then simple to verify that uco*(C) is the lattice depicted in Fig. 5. In fact, the only closure which is not meet- uniform is \3 : \3(a)=\3(b)=, whilst \3(a 7b)=\3(=)==. Also, observe that uco*(L) is not a sublattice of uco(L).

The example above allows one to draw the following two additional consequences.

(i) The property of dual-atomicity of uco(C) does not hold anymore for the complete lattice uco*(C). (ii) The composition of two meet-uniform closure operators, whenever this is a closure, in general, is not meet-uniform. In fact, for the meet-uniform closures \5 and \6 above, one has that \5 b \6=\6 b \5=\3 is not meet-uniform.

Let S be a set, f: C Ä S, and consider the corresponding equivalence relation rf on C induced by f: xrf y f(x)=f( y). The following definition assigns a canonical representative to each equivalence class defined by rf . Definition 4.4. For any x # C, define { (x)=Ã [x] (=Ã [y# C | f( y)=f(x)]). f rf If f is meet-uniform then it is immediate to observe that this is a good definition, i.e., for any x # C, {f (x)rf x. Further, it is worth noticing that if f =\ # uco(C) then {\(x)={\(\(x)). We will use these remarks in the following proofs. The following observation provides an alternative characterization of meet-uniformity.

Let (A,A) be any poset.

Proposition 4.5. Let f: C Ä A be monotone. f is meet-uniform iff for any x # C,

{f (x)rf x.

FIG. 5. The lattices uco(L), on the left, and uco*(L), on the right. 168 GIACOBAZZI AND RANZATO

Proof.(O) Obvious. (o) Consider any Y C (with |Y |>1) and x # C such that f( y)= f(x), for all y # Y. Obviously, f(ÃC Y )A f(x). On the other hand, by hypothesis,

{f (x)rf x, and therefore f(x)= f({f (x))A f(ÃC Y ). Thus, f(ÃC Y )= f(x). K This observation allows us to give the following slight generalization of the notion of meet-uniformity. Let f: C Ä A be monotone and K C. Then, we define f to be meet-uniform on K (or K-meet-uniform) when for any x # K, {f (x)rf x. Thus, by Proposition 4.5, f is meet-uniform iff f is meet-uniform on C. In particular, given a complete lattice, we denote by uco*K(C) the set of all closures on C which are meet- uniform on K. It is simple to verify that the above Theorem 4.2 admits a straightforward generalization for this notion of K-meet-uniformity, and therefore uco*K(C) is a Moore-family of uco(C). We will see the usefulness of this more general concept of meet-uniformity later in Section 7. For the downward closure of Section 3, a simple characterization of the canonical representative of Definition 4.4 can be given as follows.

Remark 4.6. If Q satisfies the ACC then, for each I # ^(Q), {a(I)=max(I).

Proof. By Lemma 3.3 (iii), {a(I)= [J # ^(Q)|aJ = aI]= [J # ^(Q)| max(J)=max(I)]. Moreover, since max(max(I))=max(I), { a (I) max(I). On the other hand, if max(J)=max(I), then max(I) J, and therefore {a(I)= max(I). K We close this section by observing that meet-uniformity can be induced on closure operators by means of Galois connections. By a slight abuse of terminology, a G.c. (:, C, A, #) is defined to be meet-uniform if the map : is meet-uniform. The next result shows that meet-uniform G.c.'s induce meet-uniform closures. Proposition 4.7. A G.c. (:, C, A, #) is meet-uniform iff # b : # uco*(C). Proof. We only prove the ``only if'' part, since the other direction is similar. Consider any Y C and x # C such that \y # Y.#(:( y))=#(:(x)). Then, for all y # Y, :(#(:( y)))=:(#(:(x))), and, since : b # b :=:, we get :( y)=:(x). Hence,

:(ÃC Y )=:(x), from which, #(:(ÃC Y ))=#(:(x)). K

5. LIFTING COMPLETE ORDERS VIA MEET-UNIFORM CLOSURES

The following key definition is obtained as an obvious generalization of the partial order introduced by [Falaschi et al. 1993] (see Section 6.2 below). Let

(C,C) and (A,A) be posets, and consider any function f: C Ä A.

f Definition 5.1. The lifting via f of the ordering C is the relation C on C defined as follows:

f xC y iff f(x)A f( y) 6 ( f( y)A f(x) O xC y).

In the following, we study the consequences of this notion. First, it is straightforward to note that the above definition actually is correct. UNIFORM CLOSURES 169

f Lemma 5.2. C is a partial order on C.

f Let us assume that the function f is monotone. Then, observe that C C , i.e., f for all x, y # C, xC y O xC y. Also, if C is bounded, with top and bottom elements (w.r.t. C) and =, then C is bounded for the lifted order too, where f and = are still the top and the bottom w.r.t. C . In the following, we will focus on closure operators, because, in our generalized hierarchy of semantics, f will play the role of an abstraction map, which is therefore uniquely determined by a closure operator. For the next result, let us assume that (C,) is a mere poset.

Proposition 5.3. If \, ' # uco(C) and ' =C \, then ' # uco(C\). Proof. Idempotency of ' is clearly preserved. \-extensivity of ' easily follows from the fact that \. We prove monotonicity: x\ y O '(x)\ '( y). First, since '=C\, we have that \ b '=' b \=\. Thus, from the hypothesis \(x)\( y), we get '(\(x))=\('(x))\('( y))='(\( y)). On the other hand, assume now that \('( y))\('(x)). Hence, we have that \( y)\(x), which, by hypothesis, implies x y. Then, by -monotonicity of ', we get '(x)'( y), which concludes the proof. K

As an immediate consequence of the above result, we get that if \ # uco(C) then

\ # uco(C\). Let us now give a simple example of lifting a partial order via a closure operator. Example 5.4. Consider the lattice (L,) of Example 4.3, and the closures

\2=[, a] and \3=[, =] defined on L. It is easy to verify that lifting via \3 \3 changes nothing in the structure of L, i.e., = . Instead, lifting via \2 gives the chain [=<\2 a<\2 b<\2 ]. From now on, let (C,,6, 7, , =) be a complete lattice. A key property of lifting a complete order via a meet-uniform closure operator is that this step preserves the complete lattice structure.

\ Theorem 5.5. If (C,) is a complete lattice and \ # uco*(C) then (C, ) is a complete lattice. The proof of this theorem consists in giving explicit characterizations of lub's and glb's for the lifted order. Given a meet-uniform closure \ # uco*(C), recall from

Definition 4.4 that for each x # C, {\(x)=Ã [y# C | \( y)=\(x)]. Then, for any subset Y C, let us give the following definitions:

. Y= y # Y { Y y { Y ; \{ } \ \ + = _ { \ \ +=+ Ä [y# Y | \(y)=\(x)] if _x # Y. Ä \(Y)=\(x); Ä Y= . {Ä \(Y) otherwise. . . To prove that and Ã actually are the lub and glb for the lifted order, we need the following preliminary lemma. 170 GIACOBAZZI AND RANZATO

. Lemma 5.6. For all Y C, \( Y )=\(Y ).

Proof. The following equalities prove the claim:

. \ Y =\ y # Y { Y y { Y \ + \ \{ } \ \ + = _ { \ \ +=++ (by point (ii) in Section 2.2)

=\ $ y)#Y { y y \ { Y \ \{ } \ \ + = _ { \ \ \ ++=++ (by meet-uniformity of $

=\ \(y)#Y { Y y \ Y \ \{ } \ \ + = _ { \ +=++ (by point (ii) in Section2.2)

=\ y # Y { Y y Y \ \{ } \ \ + = _ { =++ =\ \ Y+. K . . Theorem 5.7. and Ã are the lub and glb in (C,\). . Proof. Let us first prove that is the lub. Consider any Y C. . (a) Let us show that if y # Y then y\ Y. . (a ) \( y)\( Y ): Immediate from Lemma 5.6. 1 . . (a ) \( Y )\( y) O y Y: Since, from the hypothesis and Lemma 5.6, 2 . we get \( y)=\( Y )=\( Y ), we also have that { ( Y )={ (\( Y ))= . \ \ {\(\( y))={\( y), and this implies y Y.

\ (b). Assume that there exists u # C such that \y # Y.y u. Then, we prove that Y\ u. . (b1) \( Y )\(u.): From the hypothesis follows that \(Y )\(u). Hence, by Lemma 5.6, \( Y )=\( Y )=\( \(Y ))\(\(u))=\(u). . . (b2) \(u)\( Y ) O Yu: By hypothesis and Lemma 5.6, \(u)=

\( Y ). First, we verify that {\( Y )u: in fact, {\( Y )={\(\( Y ))=

{\(\(u))={\(u)u. Second, if {\( Y )y then yu: as above, {\( Y )=

{\(u), and therefore, {\(u)y. Thus, \({\(u))=\(u)\( y). Since, by hypothesis, \(u)\( y) O yu, we get the desired yu. . Let us now prove that Ã is the glb. Consider any Y C.. We distinguish between the two mutually exclusive branches of the definition of Ã. UNIFORM CLOSURES 171

. (a) There exists x # Y such that Ã \(Y )=. \(x), and hence, Ã Y= Ã [y# Y | \( y)=\(x)]. Since \ is meet-uniform, \(Ã Y )=\(x)=Ã \(Y ). We will use this observation during the proof. . . (a ) \y # Y. Ã Y\ y: First, \(Ã (Y ))=\(x)\( y) holds. Second, \( y) . 1 . \(Ã Y ) O Ã Y y holds too, since the premise is equivalent to \( y)=\(x). . (a ) If there exists l # C such that \y # Y.l\ y then l\ Ã Y: first, 2. . \(l)\(Ã Y ), since \(Ã Y )=\(x), and, from the hypothesis, \(l)Ã \(Y )= . . \(x). Second, the implication \(Ã Y )\(l) O lÃ Y holds, since its premise implies \(x)=\(l), and, if y # Y is such that \( y)=\(x) then \( y)=\(l). By . exploiting the hypothesis l\ y, this implies l y, which in turn implies lÃ Y. . (b) Assume the other branch, i.e., \y # Y.Ã \(Y )<\( y). In this case, Ã Y=Ã\ (Y ). . . (b ) \y # Y. Ã Y\ y: First, \(Ã Y )=\(Ã \(Y ))=Ã \(Y )\( y). Second, 1 . . . the implication \( y)\(Ã Y ) O Ã Y y, i.e., \( y)=Ã \(Y ) O Ã Y y, trivially holds, since, by hypothesis, its premise is never satisfied. . (b ) If there exists l # C such that \y # Y.l\ y then l\ Ã Y: first, \(l) . 2 . \(Ã Y )=Ã \(Y ), since, by hypothesis, \y # Y.\(l)\( y). Second, \(Ã Y ) . \(l) O lÃ Y holds, since it is equivalent to \(l)=Ã \(Y ) O lÃ \(Y ), which is true, because l\(l). K . Note that the singleton [{\( Y )] has been added in the above definition of because if [y# Y | {\( Y )y] results to be empty then {\( Y ) is taken as lub, rather than <==. Also, as observed above in all generality,. note that. and = remain. . unchanged after the lifting of the ordering: in fact, C=Ã <= and Ã C= <==. As a consequence of Theorem 5.7, we get the following fact, which will be useful in the following sections. . Corollary 5.8. For any Y C, Ã \(Y )=Ã \(Y ). It is important to remark that meet-uniformity is the crucial property of the closure \ that allows us to prove Theorem 5.5. In fact, the following example shows that if the closure is not meet-uniform, then, in general, the lifted order does not give rise to a complete lattice.

Example 5.9. Consider the finite lattice (C,), depicted in Fig. 6, and consider the closure \ # uco(C) defined by $C)=[, c, d, =]. It is immediate to verify that \ is not meet-uniform: in fact, \(a)=\(b)=, but \(aÃ b)=\(=)==. In this case, the lack of meet-uniformity for \ implies that the lifted poset (C,$, depicted in Fig. 6, is not a lattice anymore, because, by definition of \, d\ a and c\ b.

There is a further remarkable consequence of lifting a complete order via a meet-uniform closure operator \. In fact, by this process, we upgrade the properties enjoyed by \ whenever considered w.r.t. the lifted complete order \: \ becomes a co-additive closure operator. 172 GIACOBAZZI AND RANZATO

FIG. 6. The lattice (C,) on the left, and the poset (C,\) on the right.

ca Theorem 5.10. If \ # uco*(C) then \ # uco (C\). Proof. By Proposition 5.3, \ still is a closure operator on (C,\). Let us show that. it is co-additive. By Corollary 5.8, it is enough to show that for any. Y C, \(Ã Y )=Ã \(Y ). We distinguish the two branches of the definition of Ã . . (i) If Ã Y=Ã. [y# Y | \( y)=\(x)] for a suitable x # Y such that \(x)= Ã \(Y ), then \(Ã Y )=\(x)=Ã \(Y ), because \ is meet-uniform (on C). . . (ii) Otherwise, Ã Y=Ã \(Y ), and hence, \(Ã Y )=\(Ã \(Y ))=Ã \(Y ). K

6. GENERALIZED ORDER-THEORETIC SEMANTICS

In this section, we show how to exploit the general order-theoretic results of the previous sections in order to define an order-theoretic semantics generalizing the model-theoretic logic program semantics proposed by Falaschi et al. [1993].

6.1. Interpretations as Models The s-semantics for logic programs has been defined by Falaschi et al. [1989] with the aim of providing a declarative semantic counterpart to the operational observable property given by computed answer substitutions, since this was not possible by means of the standard ground success-set semantics of van Emden and Kowalski [1976]. Let us introduce the following notation: 6 denotes the set of predicate symbols of the underlying first-order language L, and X denotes a sequence of distinct variables; moreover, if P is a program and G=b1 , ..., bn (n0) % is a goal, then we write G wÄP g iff there exists a SLD-refutation of G in P with computed answer substitution %. Then, the s-semantics S(P) Atom of a program P is defined as

S(P)= p(X ) % p # , % # Sub, p(X ) % . { } ` wÄ P g=

It turns out that this semantics is fully abstract with respect to the notion of computed answer substitution (cf. [Falaschi et al. 1989]). Let P1 and P2 be programs, and define P1 and P2 to be equivalent for the computed answer substitutions observable when, for any goal G and substitutions % and _, p(X ) wÄ% g iff P1 p(X ) wÄ_ g and G%tG_. Then, the full abstraction theorem states that P2 S(P1)=S(P2) if and only if P1 and P2 are equivalent in that sense. For all the UNIFORM CLOSURES 173 details, properties and consequences of the s-semantics the reader is referred to [Falaschi et al. 1989], since here we recalled its definition for illustrative purposes only. The s-semantics of a program is therefore defined as a subset of the nonground Herbrand base, namely it is an interpretation. Falaschi et al. [1993] gave a model- theoretic interpretation for sets of nonground atoms, with the obvious goal of making the s-semantics a model as well as any standard ground Herbrand model. Let us recall this notion. Given a standard ground Herbrand interpretation

I # ^(Atom<) and a definite clause c, the notion of truth of c in I is the standard logical one, i.e., I < c. On the other hand, given any nonground interpretation I # ^(Atom), from a model-theoretic viewpoint, the idea is that I is a denotation for the set of its ground instances gr(I). Accordingly, Falaschi et al. [1993] proposed the following approach: an interpretation I # ^(Atom)isamodel of a program P if all the clauses of P are true (in the standard logical sense) in gr(I). By this definition, any standard Herbrand model is also a model in the above sense, and therefore this implies that any program has a model. Moreover, it turns out that, for any program P, the s-semantics S(P) is a model of P, and for any ground

Herbrand interpretation I # ^(Atom<), this new notion of being a model is equivalent to the standard old one. It is well-known [van Emden and Kowalski 1976] that, for any program P, its set MP of standard Herbrand models is closed by set intersection, and therefore the least Herbrand model exists. Also, the ground Herbrand base Atom< is a model, i.e., Atom< # MP . This implies that MP is a Moore-family of ^(Atom<), i.e., MP can be thought of as a closure on ^(Atom<) such that for any I # ^(Atom<), I is a Herbrand model of P iff I is a fixpoint of MP . This observation was first reported by Lassez and Maher [1984]. As a side observation, we note that, in general, this closure operator is not meet-uniform. In fact, consider P=[pÂ q, q Â p], and

I=[p], J=[q] # ^(Atom<); it is clear, that MP(I)=MP(J)=[p, q], whilst

I & J=< # MP . Order-theoretic generalization. In our order-theoretic approach, the above notion of model is formalized naturally as follows. Recall that in the generalized hierarchy of Section 3, the set of ground Herbrand interpretations corresponds to the complete lattice (g(\(C)), ), where any generalized interpretation x # C is ``grounded'' to g(\(x)). Thus, given any program P,2 its set of ground Herbrand models is generalized by a closure operator mP # uco(g(\(C))). Therefore, an interpretation x # C is a (generalized) model of P whenever g(\(x)) is a fixpoint of mP , i.e., when g(\(x)) is a generalized Herbrand model of P. The set GP of (generalized) models of P is then defined as: GP=[x # C | mP(g(\(x)))=g(\(x))].

6.2. Generalizing the Model-Theoretic Semantics

In contrast to standard Herbrand models, Falaschi et al. [1993] observe, by a simple counterexample, that the model intersection property does not hold any

2 It is worth noting that in our order-theoretic reconstruction, we do not need at all to refer to `real' logic programs. Thus, we can think of the set of all programs as a mere set of objects acting as indices. 174 GIACOBAZZI AND RANZATO longer for the notion of nonground model recalled in Section 6.1. This implies that the least model of a program with respect to set inclusion, in general, does not exist. Of course, in our order-theoretic construction, this counterexample shows that, in general, the set of generalized models GP is not closed by glb (of C). Falaschi et al. [1993] point out that this phenomenon ``can easily be explained by noting that set inclusion does not adequately reflect the property of nonground atoms of being representatives of all their ground instances.'' Then, they propose a new partial order on ^(Atom), as given in the following definition, which allows one to restore the desired model intersection property.

Definition 6.1. ([Falaschi et al. 1993, Definition 4.1]). Let I, J # ^(Atom). Then,

(i) I &| J \A # I._B # J.BPA; (ii) I \ J (I &| J) 6 (J &| I O I J).

As Falaschi et al. note, clearly, I &| J iff WI X WJ X, and therefore

I \ J (WI X WJ X) 6 (WJ X WI X O I J). (V)

By this formulation, this definition gets a clearer meaning. In fact, it says that in order to compare two interpretations I and J we have to look at their respective abstractions in ^a(Atom): I is smaller than J if WI X/WJ X, and, whenever WI X= WJ X, the original subset-ordering, I J, is considered. Falaschi et al. [1993] present a number of important consequences of Definition 6.1. They show that (^(Atom), \) is a complete lattice, and provide an explicit characterization for the corresponding lub. Further, they prove that for any program P, the glb w.r.t. \ of its set of nonground models is still a model, thus obtaining the \-least nonground model for P, which is also shown to coincide with the standard least Herbrand model. It is important to remark that in order to prove all these results, specific logic programming concepts and tools are heavily used, like clauses, substitutions, instances, and Herbrand models. In contrast, our generalized approach involves pure order-theoretic notions only and no specific logic programming concept.

Order-theoretic generalization. By the characterization (V) above, it is immediate to observe that the ordering given by Definition 6.1 is an instance of the definition of lifted partial order induced by the meet-uniform closure W } X on the domain of nonground interpretations ^(Atom). By the results of Section 4, in our generalized hierarchy, the hypothesis that the first step of abstraction of C is given by a meet- uniform closure \, just allows us to lift the complete order of C via \, then obtaining the lifted complete lattice (C,\). Hence, this is precisely the order- theoretic generalization of the corresponding result of Falaschi et al. [1993, Theorem 4.9]. Also, we noted that, in general, the glb (in C) of a set of models of

P, i.e., of a subset of GP=[x # C | mP(g(\(x)))=g(\(x))], is not a model of P. Instead, the next theorem shows that the meet-uniformity of the closure \ is, UNIFORM CLOSURES 175 once again, the crucial property that permits to recover the generalized model- intersection property w.r.t. the lifted complete order \.

\ Theorem 6.2. If \ # uco*(C) then GP is a Moore-family of (C, ).

Proof. Let [xi]i # I GP . The following equalities hold:

. mP g \ Ä xi =(by Theorem 5.10) \ \ \i # I +++ . mP g Ä \(xi) =(by Corollary 5.8) \ \i # I ++

mP g Ä \(xi) =(by -co-additivity of g) \ \i # I ++

mP Ä g(\(xi)) =(since \i # I.xi # GP) \i # I +

mP Ä mP(g(\(xi))) =(since mP # uco(g(\(C))) and by (i) in Section 2.2) \i # I +

Ä mP(g(\(xi)))=(since \i # I.xi # GP) i # I

Ä g(\(xi))=(by -co-additivity of g) i # I

g Ä \(xi) =(by Corollary 5.8) \i # I + . g Ä \(xi) =(by Theorem 5.10) \i # I + . g \ Ä xi . \ \i # I ++ . This shows that Ãi # I xi # GP , and therefore closes the proof. K

\ As a consequence, for any program P, GP is a complete lattice w.r.t. this \ generalizes [Falaschi. et al. 1993, Corollary 4.11]and the -least generalized model is therefore Ã GP . The overall scenario is summarized by Fig. 7. By assuming further hypotheses, we are also able to give the generalization in our framework of the fact proved by Falaschi et al. [1993, Theorem 4.15] that the \ - least model coincides with the -least Herbrand model. Recall that in our generalized approach, g(\(C)) stands for the subset of C of ground Herbrand interpretations, while, for any program P, mP # uco((g(\(C)), )) is the closure representing the Herbrand models of P. Thus, the set HP of generalized Herbrand models of a program P is just given by HP=[z # g(\(C)) | mP(z)=z]. Hence, Ã. HP is the order-theoretic counterpart of the -least Herbrand model, and Ã GP=Ã HP states the equality of the two generalized least models. Analogously to the logic programming side, it is straightforward to note that, for any program P, 176 GIACOBAZZI AND RANZATO

FIG. 7. The overall generalized order-theoretic approach by grounding its set of generalized models, one gets its set of generalized Herbrand models, i.e., HP=[g(\(x)) # g(\(C)) | x # GP]. The further hypotheses required by the next theorem correspond, on the logic programming side, to the observations that the grounding operator gr: â(Atom) Ä â(Atom) is indeed a (co-additive) lower closure operator, and that for any I # ^(Atom) and J # â(Atom), whenever J indeed is ground (i.e., gr(J)=J) and I J, then I is ground as well.

Theorem 6.3. If g # lco(\(C)), and, for any x # C and. y # \(C), xg( y)=y implies x # \(C) and g(x)=x, then, for any program P, Ã GP=Ã HP .

Proof. First, note that HP= g(\(GP)). Also, the following equalities hold:

Ä HP=(since HP=g(\(GP)))

g(\(G ))= by -co-additivity of g Ä P \ Ä +

g \(G ) =(by Corollary 5.8) \Ä P + . g \(G ) =(by Theorem 5.10) \Ä P + . g \ G =(by Theorem 6.2) (1) \ \Ä P++ . m g \ G .(2) P \ \ \Ä P+++ . Moreover, by the equality (1), g(\(Ã HP))=g(\(g(\(Ã GP)))), and, from g(\(C)) \(C) and by idempotency of g and \, we get

. g \ H = g \ G =(by (1))= H .(3) \ \Ä P++ \ \Ä P++ Ä P UNIFORM CLOSURES 177

. \ (Ã GP Ã HP) The following equalities show that Ã HP # GP :

m g \ H =(by (1)) P \ \ \Ä P+++ . m g \ g \ G =(by g($C)) \(C) P \ \ \ \ \Ä P+++++ and indempotency of g and $ . m g \ G =(by (2)) P \ \ \Ä P+++

Ä HP=(by (3))

g \ H . \ \Ä P++ . \ \ (Ã HP Ã GP) We show that if x # GP then Ã HP x. . . (i) From x # G , we get Ã G \ x, from which, \(Ã G )\(x), and, in turn, . P P P . g(\(Ã GP))g(\(x)). By the equality (1) above, Ã HP= g(\(Ã GP)), and since

\(Ã HP)=Ã HP , we get, by reductivity of g, \(Ã HP)g(\(x))\(x), as desired.

(ii) We show that \(x)=\(Ã HP) O Ã HPx. From \(x)=\(Ã HP)=

Ã HP , we get g(\(x))=g(Ã HP)=(since g is a lower closure)=Ã HP=\(x). Thus, x\(x)=g(\(x)), and by the hypotheses of the theorem, we obtain g(x)=x. Hence, \(x)=\(g(x))=(since g(\(C)) \(C))=g(x), from which, x=\(x)=

Ã HP . K It is worth noting that it is possible to slightly generalize our hierarchy, and in particular Theorem 6.2. In fact, after the first step of abstraction given by a meet- uniform closure \ # uco*(C ), we can consider an arbitrary finite number of further abstractions given by co-additive functions. This is possible since the composition of co-additive functions is clearly still co-additive. Also, note that by considering the mapping g as the identity, we can deal only with the unique abstraction given by \.

7. UNIFORM CLOSURES AND ABSTRACT DOMAIN REFINEMENTS

In this section, we show how the novel order-theoretic notion of uniformity finds relevant applications also in abstract interpretation theory, specifically in the area of refinement operators of abstract domains (as far as the precision is concerned).

7.1. Abstract Domain Refinements In abstract interpretation, a domain refinement is intended as an operator which takes as input a given abstract domain (that is, a closure) and returns as output an enhanced domain, i.e., a more precise domain, by systematically adding new information. A formal treatment of abstract domain refinements has been recently 178 GIACOBAZZI AND RANZATO put forward by File et al. [1996] and successively sharpened by Giacobazzi and Ranzato [1997], generalizing most of the well-known domain refinements, like reduced product and disjunctive completion [Cousot and Cousot 1979]. In the following, we assume that (C,) is the complete lattice that plays the role of the concrete domain of reference. As recalled in Section 2.3, the lattice of abstract interpretations of a given concrete domain C is isomorphic to the complete lattice uco(C) of all upper closure operators on C. As recalled in the Introduction, an abstract domain refinement is defined as an operator R: uco(C) Ä uco(C) on the lattice uco(C) of abstractions of C, which is monotone and reductive (i.e., R(A) =C A). Idempotency is an additional reasonable requirement, ensuring that the refinement of an abstract domain is performed all at once. Thus, a refinement is a lower closure operator on the complete lattice uco(C), i.e., any mapping in lco(uco(C)), and therefore, some properties of domain refinements can be derived by duality from those of abstract domains, which are upper closure operators. Among them, (i) the image of R coincides with the set of refined abstract domains: R(uco(C))=[A # uco(C)|R(A)=A], and (ii) the set (lco(uco(C)),=C ) of all the refinements is a complete lattice (by a slight abuse of notation, we always use the symbol =C for any order between closures), where R1 =C R2 iff for any A # uco(C), R1(A) =C uco(C) R2(A) iff the set of domains refined by R1 is contained in the set of those refined by R2 . Thus, analogously to the case of abstract domains, the complete ordering =C between refinements can be interpreted as a relation of precision, where R1 is more precise than R2 iff R1 =C R2 . For more details and properties on abstract domain refinements, we refer to [Giacobazzi and Ranzato 1997].

Example 7.1. Reduced product3 is the simplest and probably most familiar example of abstract domain refinement. It has been successfully applied in many works on program analysis, for instance in [Codish et al. 1995; Granger 1988; Muthukumar and Hermenegildo 1991; Sundararajan and Conery 1992]. As recalled in Section 2.3, the reduced product corresponds to the glb in the complete lattice of (upper) closure operators. The terminology reduced product of abstract domains stems from the fact that it can be represented by means of the standard cartesian product, where equivalent tuples of objects are identified, i.e., reduced (more details are given, e.g., in [Cousot and Cousot 1992a]). For example, consider the abstract domains A& and A+ in Fig. 8, which are abstractions of the complete lattice (^(Z), ) (with the most obvious meaning of their elements), and are typically used for sign analysis of integer variables. It is easily seen that, up to isomorphic representation of domain's objects, the reduced product A& @ A+ is the abstract domain Sign of Fig. 1. Observe that Sign has two new elements with respect to A& and A+, i.e., 0 and <, which are obtained by combining, by set intersection in ^(Z), the corresponding sets of integers, respectively, &0 with 0+, and & with +. Here, reduction is necessary only for identifying distinct pairs of elements denoting the empty set of integers: the pairs (&, +), (&0, +), and (&, 0+) all denote <. By fixing one of the arguments of reduced product, one

3 For simplicity of notation, we consider the reduced product as a binary operator. UNIFORM CLOSURES 179

FIG. 8. The abstract domains A& and A+. obviously gets a refinement. Let C be the concrete domain and A # uco(C) be any fixed abstract domain. Then, the reduced product refinement with respect to A is the lower closure operator R@A=*X.(A @ X )#lco(uco(C)).

7.2. Inverting Refinements

File et al. [1996] motivated and introduced the notion of inverse of an abstract domain refinement. For a given refinement R # lco(uco(C)) and an abstract domain A # uco(C), the optimal basis of A for R, when it exists, is a domain D # uco(C) such that R(D)=R(A), and for any B # uco(C), R(B)=R(A) implies B =C D. Clearly, if an optimal basis D exists, then this domain is unique. Thus, we will refer to the existence of the optimal basis. In other terms, whenever the optimal basis of A for R exists, this is the most abstract domain having the same refinement (for R) as A. Given a class K uco(C) of abstract domains, if any A # K admits the optimal basis, the mapping R& : K Ä uco(C) providing the optimal basis is called the inverse of R on K. Thus, the inverse R& does exist on K iff there exists the optimal basis for R of any domain in K. The intuition is that the refined domain R(A) can be systematically reconstructed by applying the refinement R to the more abstract, and therefore simpler, domain R&(A). Therefore, roughly speaking, R& is the operator providing the simplest abstract domains of input for the refinement R. The notion of abstract domain refinement can be slightly generalized, by allowing the possibility of having as domain of definition of a refinement any subset Q of uco(C) (see [Giacobazzi and Ranzato 1997] for all the details). In this case, the inverse of a refinement R: Q Ä uco(C) could exist for some subset K of Q and it should take values over Q, i.e., R& : K Ä Q. An example of this kind of partial refinement is provided by the negative completion refinement (cf. File et al. 1996; Giacobazzi and Ranzato 1997]). Let the concrete domain C be a complete Boolean a algebra. The negative completion Rc is then defined on the sublattice uco (C)of uco(C) of additive closures (also called disjunctive abstract domains), and it upgrades a given abstract domain by adding denotations for the lattice-theoretic complements of its elements. It is easy to verify that if A # ucoa(C) then a cA=[ca # C | a # A] # uco (C). Thus, Rc lifts a given disjunctive abstract domain A to the most abstract domain containing both A and cA, i.e., a Rc : uco (C) Ä uco(C) maps A to the reduced product Rc(A)=A @ cA. a a Although, given A # uco (C), Rc(A), in general, does not belong to uco (C) (cf.

[Giacobazzi and Ranzato 1997]), it turns out that Rc is monotone, reductive and 180 GIACOBAZZI AND RANZATO

{0 FIG. 9. The abstract domains Sign , A1 and A2 . idempotent, and therefore is a refinement in the generalized framework of [Giacobazzi and Ranzato 1997]. In general, optimal bases do not always exist, and the negative completion provides a meaningful example of a refinement which is not invertible on any really significant class of abstract domains, as first noted by File {0 et al. [1996]. Let us consider the disjunctive abstract domains Sign , A1 and A2 depicted in Fig. 9, for sign analysis of integer variables, with their obvious meanings as additive closures on (^(Z), ) (which obviously is a complete Boolean {0 algebra). It turns out that the the optimal basis of Sign for Rc does not exist. {0 {0 In fact, Rc(A1)=Rc(A2)=R(Sign )=Sign , while for the least common abstraction A1 ? A2=[Z,0,<], Rc(A1 ? A2)=[Z,0,{0,<], and hence this {0 implies that Sign does not admit the optimal basis for Rc . Since in this example the concrete domain is a complete Boolean algebra, and Sign{0 enjoys all most important lattice-theoretic properties, this means that Rc is not invertible on any significant class of abstract domains.

7.3. Invertibility as Join-Uniformity As the attentive reader might have already guessed, it turns out that join-uniformity captures exactly the concept of invertible domain refinement. Recalling by duality from Section 4 the notion of K-join-uniformity, one can state the following immediate result, whose prime importance stems from the striking connection between two notions that came out from very different questions. Theorem 7.2. Given K uco(C), a refinement R: uco(C) Ä uco(C) is invertible on K iff R is join-uniform on K. Moreover, given a refinement R: uco(C) Ä uco(C) which is invertible on K, the canonical representative of Definition 4.4 of an abstract domain A # K for R is

{R(A)= [D # uco(C)|R(D)=R(A)], and therefore it is exactly the optimal & basis of A, i.e., {R(A)=R (A). In other words, the canonical representative operator {R is the inverse of R. Hence, following the notation of Section 4, we have that lco*K(uco(C)) denotes the set of abstract domain refinements invertible on K uco(C). By duality from the observations and results of Section 4, we can then derive the following properties of invertible refinements: (i) Invertible refinements on some K give rise to a complete lattice (lco*K(uco(C)),=C ), which, in particular, is a complete join subsemilattice, i.e., a UNIFORM CLOSURES 181 dual-Moore-family, of lco(uco(C)), with top and bottom elements *X.X (the identity refinement) and *X.C (the full refinement), respectively; (ii) The lattice of invertible refinements is not dual-atomic; (iii) Invertibility is not preserved by composition.

By property (i), the space of refinements that are invertible on some fixed K is itself the set of fixpoints of a lower closure operator *#lco(lco(uco(C))), defined as follows: for any R # lco(uco(C)), *(R)= [I # lco(uco(C)) | I =C R, I is invertible on K]. This operator transforms any, possibly noninvertible on K, refinement R # lco(uco(C)), into the weakest refinement (with respect to the order =C between refinements explained in Section 7.1) which is both invertible on K and more precise than R. Let us now see an important example of an invertible abstract domain refinement.

Example 7.3. Disjunctive completion was originally introduced by Cousot and Cousot [1979] to prove that merge-over-all-paths data-flow analyses can be always expressed in least fixpoint form. It has been then considered in Nielson's [1984] approach to abstract interpretation using domain theory, and applied in program analysis, e.g., in Cousot and Cousot's [1994] comportment analysis, in Deutsch's [1992] alias analysis, in Jensen's [1997] disjunctive strictness logic, and in analysis of logic program groundness-dependencies [File and Ranzato 1998]. The disjunctive completion enhances an abstract domain as little as possible so that it becomes disjunctive, i.e., an additive closure. It should be evident that disjunctive abstract domains are practically very useful, since their lub's are as precise as possible. Following the general approach of Giacobazzi and Ranzato

[1998], given a concrete domain C, the disjunctive completion R6 : uco(C) Ä a uco(C) is defined as R6(A)= [D # uco (C)|D =C A], for any A # uco(C). It is immediate to observe that R6 actually is a lower closure, and hence correctly defines an abstract domain refinement. Whenever the concrete domain is completely distributive, the disjunctive completion of an abstract domain can be characterized by various equivalent powerset constructions [Cousot and Cousot 1994; File and Ranzato 1998]. As a simple example, if Sign is the abstraction of (^(Z), ) of {0 Fig. 1, its disjunctive completion R_(Sign) is the domain Sign considered above and depicted in Fig. 9, which contains the concrete lub (i.e., set union) of any subset of Sign, and in particular it contains a new object {0=& 0, denoting nonzero integers. The inverse of disjunctive completion should therefore be an operation which returns (when possible) the most abstract domain whose disjunctive completion is a given disjunctive abstract domain. Giacobazzi and Ranzato [1998] introduced the notion of least disjunctive basis for an abstract domain, that turns out to be an instance of the concept of optimal basis, and hence allows us to define the inverse of the disjunctive completion refinement. Giacobazzi and Ranzato [1998, Theorem 4.10 and 4.11] give two results of existence of the least disjunctive basis, which can be read in the terminology of this paper as follows:

(i) If C is a dual-algebraic completely distributive lattice then R6 is invertible on all uco(C); 182 GIACOBAZZI AND RANZATO

(ii) If C is distributive then R6 is invertible on [A # uco(C)||A|<+0].

& It is not hard to verify that the optimal basis R_ (Sign)ofSign is the abstract domain A\0 of Fig. 1. From what has been discussed above, it would be natural to think that the inverse of an abstract domain refinement can be formalized as an operator of simplification, somehow dual to a refinement. Intuitively, an abstract domain simplification should be an operator that for a given domain of input, returns a more abstract domain, that is, it should be an extensive operator on the lattice of abstract interpretations. Moreover, as well as for refinements, a simplification operator should monotonically transform abstract domains, and perform simplifications all at once. In this sense, while refinements are lower closures, their inverses should generally be upper closures. Instead, we will see that when a given refinement R # lco(uco(C)), possibly under some hypotheses on C, is invertible on all uco(C), the inverse operator R& is not necessarily an upper closure. More in general, when R is invertible on K uco(C), the inverse R& : K Ä uco(C) is not necessarily monotone. In fact, we can only prove the following general result for join-uniform functions, where f @ is just the dual canonical representative operator of Definition 4.4. Proposition 7.4. Let L be a complete lattice and f: L Ä L be monotone and join- uniform on K L. Then, f @ : K Ä L defined as f @(x)= [y# L | f( y)= f(x)]is extensive and idempotent (i.e., if f @(x)#K then f @( f @(x))= f @(x)). Proof. Extensivity is obvious by definition. Moreover, by join-uniformity, we have that for any x # K such that f @(x)#K, f @( f @(x))= [y# L | f( y)= f( f @(x))]= [y# L | f( y)= f(x)]= f @(x), proving idempotency. K In general, monotonicity of an inverse operator may fail. This is the case of the disjunctive completion, as shown by the following example taken from [Giacobazzi and Ranzato 1998, Example 5.3]. Example 7.5. Consider the abstract domains Sign, A+ and A\, all already & + + & \0 introduced above. Observe that R_ (A )=A , while R_ (Sign)=A . This shows that the inverse operator of the disjunctive completion refinement is neither monotone nor antimonotone, since A+ and A\0 are incomparable abstractions of ^(Z). By Proposition 7.4, given a lower closure ' # lco*(L) which is join-uniform (on all L), and its associated generalized inverse '@ : L Ä L, we have that, for any x # L, '('@(x))='(x)x and '@('(x))='@(x)x, but the pair ' and '@ does not constitute in general a Galois connection, due to the lack of monotonicity of '@. Clearly, if '@ is monotone, then it is the right-adjoint of '. In this sense, our notion of inverting a refinement does not correspond to the inversion as right-adjoint of the refinement. On the other hand, it is well known how pervasive the notion of adjunction is in theoretical computer science, and very often the existence of an adjunction is considered as a weak form of inversion (see, e.g., the paradigmatic case of the weak inverse in Hoare's logic, cf. [Hoare et al. 1987]). Thus, in the following, we will focus on the inversion of a refinement in the sense of adjunctions. UNIFORM CLOSURES 183

Proposition 7.6. Let L be a complete lattice and f: L Ä L be a monotone join- uniform operator (where f @ is its generalized inverse). The following statements are equivalent:

(i) f is additive; (ii) f @ is monotone; (iii) f @= f r.

Proof. We prove the following implications.

(i)O (ii) Let x, y # L such that x y. Then, by monotonicity of f, f(x) f( y). Moreover, if for some z # L, f(z)= f(x) then, by additivity, f(z6 y)= f(z) 6 f( y)= f( y). Hence, we have that f @(x)= [z # L | f(z)= f(x)] f @( y)= [u # L | f(u)= f( y)]. (ii)O (iii) Both f and f @ are monotone, and, for any x # L, f( f @(x))x and f @( f(x))x. Then, f and f @ constitute a Galois connection on L, and therefore, f @ is the right-adjoint of f. (iii) O (i) Because in any adjunction the right-adjoint of a function exists if and only if this function is additive. K

The following result shows that, whenever a lower closure admits the right- adjoint, this is always an upper closure, and, therefore, if an abstract domain refinement admits the right-adjoint, this is a simplification operator. Conversely, by duality, the left-adjoint of a simplification operator, when it exists, is always a refinement.

Proposition 7.7. Let L be a complete lattice.

(i) If \ # lco(L) admits the right-adjoint \r, then \r # uco(L). (ii) If \ # uco(L) admits the left-adjoint \l, then \l # lco(L).

Proof. We only prove (i), because (ii) follows by duality. As recalled in Section 2.3, in any adjunction on a complete lattice, the left-adjoint is additive and the right-adjoint is co-additive. Thus, let \ # lco(L) be an additive lower closure that forms an adjunction on L with \r. We prove that \r is an upper closure. Monotonicity follows by adjunction. Let x # L. Extensivity follows because from \(x)x we get \r(x)x. Let us now turn to idempotency. By (i) in Section 2.3, we get \r(\r(x))\r(x). Thus, let us prove that \r(\r(x))\r(x). By definition, r r r r \ (\ (x))=L [y# L | \( y)\ (x)]. Let z # [y# L | \( y)\ (x)]. Then, by monotonicity, idempotency, and additivity of \, we obtain

\(z)\ \ [y# L | \( y)x]+

= [\( y)#L | \( y)x]

x. 184 GIACOBAZZI AND RANZATO

Hence, \(z)x. Thus, we get z\r(\(z))\r(x), and from z\r(x) we therefore obtain the idempotency. K

Thus, by the above result, given an abstract domain refinement R # lco(uco(C)), requiring that R admits an inverse on all uco(C), which in addition is a simplification is equivalent to requiring that R is additive. However, additivity for R is a quite stronger requirement than join-uniformity, that corresponds to the invertibility of R on all the space uco(C). For instance, reduced product and disjunctive completion are relevant examples of refinements, which are not additive but still join-uniform (i.e., invertible) under certain nonrestrictive hypotheses on the concrete domain. The reduced product refinement is a paradigmatic case. It is easy to observe that the reduced product is additive if and only if uco(C) is completely meet-distributive, i.e., a complete Heyting algebra. This latter condition is equivalent to the weaker (finite) distributivity of uco(C) (cf. [Morgado 1962]), and this holds if and only if the concrete domain C is a complete chain (cf. [Dwinger 1954]). Obviously, being a complete chain for the concrete domain is not a reasonable hypothesis in semantics and program analysis. On the other hand, the general nonadditivity of the disjunctive completion refinement follows from Example 7.5 and Proposition 7.6.

7.4. Reordering Abstract Domains

We have seen that an invertible abstract domain refinement and its inverse does not constitute, in general, an adjunction. This asymmetry can be overcome by considering the lifted complete order induced on the lattice of abstractions by an invertible (i.e., join-uniform) refinement. In fact, dually to what we have seen in logic program semantics, join-uniformity becomes additivity with respect to the lifted complete order. In this way, for a refinement R which, possibly under some conditions on the concrete domain C, is invertible on all uco(C), by Proposition 7.6, we have that Rr=R&, and, in particular, the inverse R& becomes a simplification operator on the lifted order. This is stated by the following consequence of Theorem 5.10, Proposition 7.6, and 7.7.

Corollary 7.8. Let C be a complete lattice, and let R # lco*(uco(C)) be a & R R refinement which is invertible on uco(C). Then,(R, uco(C)=C , uco(C)=C , R ) is an adjunction.

Although being not additive, both the reduced product refinement of Example 7.1 and the disjunctive completion refinement of Example 7.3 are join-uniform under certain weak hypotheses. The following examples show the meaning of the lifted order on abstract domains in these two cases. First, let us recall that if L is a meet semilattice with bottom, then the pseudocomplement of x # L, if it exists, is the (unique) element x*#L such that x 7 x*== and \y # L.(x 7 y==) O ( yx*). In a complete lattice L, if the pseudocomplement x* exists then x*= [y# L | x7 y==]. If every x # L has the pseudocomplement, L is called pseudocomplemented (for more details see, e.g., [Birkhoff 1967]). UNIFORM CLOSURES 185

Example 7.9. Giacobazzi et al. [1996] proved that if C is a meet-continuous lattice,4 then for each continuous closure X # uco(C), AX=[Y # uco(C)| X =C Y] uco(C) is a pseudocomplemented lattice. In particular, uco(C) itself, which coincides with AC, is pseudocomplemented. By the equivalence between closure operators and abstract domains, this result provided the basis for defining the operation of domain complementation in abstract interpretation [Cortesi et al. 1997]. Complementation is an operation which starting from any two abstract domains A, B # uco(C) such that A =C B (i.e., B # AA), gives as result the most abstract domain AtB whose reduced product with B is A, i.e., (AtB) @ B=A. Hence, the pseudocomplement of B in AA, when it exists, is denoted by AtB and called complement of B in A (see [Cortesi et al. 1997] for more details). Although a complement AtB in uco(C) is defined for any meet-continuous lattice C, continuous closure A and arbitrary B, in order to get that complementation is the inverse of the reduced product refinement on all the space uco(C), we assume the more restrictive hypothesis that the concrete domain C satisfies the ACC. This condition in fact ensures that AtB exists for any pair A, B # uco(C) such that A =C B, because C and any closure on C are, respectively, meet- continuous and continuous. Notice that C may well be thought of as a meaningful abstraction of the actual concrete domain, and in this case, the ACC is not a severe requirement for an abstract domain used in program analysis. It is easy to observe that complementation is the inverse of the reduced product refinement. In fact, for any A # uco(C), the refinement R@A=*X.(A @ X )#lco(uco(C)) is join-uniform on all uco(C), because, for any X # uco(C), A @ X satisfies the ACC, and therefore

A(A@X ) is pseudocomplemented. Moreover, it turns out that the inverse of R@A & is R@A=*X.(A @ X )tA, since, for any X # uco(C), [Y # uco(C)|A @ Y=A @ X] is just the complement of A in A @ X. Thus, by Corollary 7.8, reduced product and complementation form an adjunction relatively to the lifted complete order on & abstract domains, and R@A is a simplification operator (namely, an upper closure) (R ) in the reordered complete lattice of abstract domains (uco(C), =C @A ). The lifted order between abstract domains induced by some R@A allows one to & give a correct interpretation to its inverse R@A . Consider for instance the abstract + domains A of Fig. 8, A2 of Fig. 9, already considered above, and the abstract & domain D of Fig. 10. It turns out that R@A+ is not monotone with respect to the standard ordering =C which relates abstract domains in terms of their relative + & + precision. In fact, we have that D =C A2 =C A , while R@A+(D)=DtA = & + [Z,&0] is not comparable with R@A+(A2)=A2tA =[Z,0], with respect to =C. + & (R@A ) Instead, R@A+ becomes monotone with respect to the lifted order =C , and & & therefore the optimal bases R@A+(D) and R@A+(A2) are comparable: + & (R@A ) & R@A+(D) =C R@A+(A2). This relationship reflects the relative power of the & & domain R@A+(D)=[Z,&0] with respect to R@A+(A2)=[Z,0]: when composed with A+, the first resulting in a more precise domain than the latter.

4 A complete lattice C is meet-continuous if for any chain Y C and x # C, x 7 ( Y )=y # Y (x 7 y) (cf. [Gierz et al. 1980]). 186 GIACOBAZZI AND RANZATO

FIG. 10. The abstract domain D

As observed in the example above, the lifted complete order on abstract domains reflects precisely the relative precision of abstract domains with respect to a given invertible refinement operator: A is more precise than B in the lifted order for an invertible refinement R,ifR(A) is more precise than R(B) in the standard sense, and, whenever they are the same (i.e., R(A)=R(B)), then A is more precise than B in the standard sense.

Example 7.10. Analogously to the above example of reduced product and complementation, the disjunctive completion refinement and its inverse, the least disjunctive basis (cf. Example 7.3), form an adjunction with respect to the lifted order. Thus, because when C is a dual-algebraic completely distributive lattice, R6 is invertible on all uco(C) (cf. Example 7.3), we get the adjunction & & R R (R6 , uco(C)=C 6 , uco(C)=C 6 , R6). Here again, the inverse R6 can be interpreted R as a simplification operator with respect to =C 6 . Now, for the abstract domains + & R _ & + Sign and A considered in Example 7.5, it turns out that R_ (Sign) =C R_ (A ): & in fact, when R_ (Sign) is refined by the disjunctive completion, it provides a more & + concrete domain than R_ (A ) does.

8. CONCLUSION

In this work, we have introduced the order-theoretic notion of uniform closure operator on complete lattices and shown that this is the right key property for generalizing the standard hierarchy of declarative semantics for logic programming and to develop a general theory for domain refinement and simplification in abstract interpretation. These results have shown an unexpected relationship between two different fields of application of abstract interpretation. On the one hand, meet-uniformity and abstract interpretation provide the right framework for reordering semantic interpretations of logic programs, keeping into account the relative precision of the models of a program specified at different levels of abstraction in the hierarchy of semantics. On the other hand, the dual property of join- uniformity applied to abstract domain refinements yields the precise characterization of the concept of invertibility for a refinement, and moreover it has been proved that refinements and their inverses constitute an adjunction relatively to a reordered space of abstract domains. Both reordered spaces are based on the same lifted partial order induced by uniformity of the involved closures. The notion of uniformity might be fruitfully exploited in other areas of application of abstract interpretation, such as in hierarchies of inductive definitions for specifying (nonnecessarily logic) program semantics and type systems. Inductive UNIFORM CLOSURES 187 definitions are fundamental in mathematical logic and theoretical computer science to provide rule-based presentations of inductively defined sets, or equivalently in the definition of sets generated by closure conditions. In semantics, this is the case for the set of execution traces of a transition system, or more in general, in rule- based specification methods for semantics, e.g., in Plotkin's [1981] structural operational semantics SOS. As shown by Cousot and Cousot [1992b] and Cousot [1997b], hierarchies of semantics and type systems can be specified as inductive definitions and related with each other by abstract interpretation. We believe that the order-theoretic reconstruction of the model-theoretic semantics of logic programming presented in the paper can be further generalized by considering, instead of logic programs, generic inductive definitions. The relationship between logic programs and inductive definitions is well known: while logic programs are finite sets of untyped Horn-clauses, inductive definitions may be given as possibly infinite sets of possibly typed clauses or rules. An account of this analogy can be found in [Bol and Groote 1996]. As observed in Section 6.1, we put no constraint on the structure of programs. In particular, they can be possibly infinite sets of possibly typed clauses, i.e., arbitrary sets of rules. The essential point in our construction is that the space of all models of a program P is a closure mP , and this is just the case of models of inductive definitions (cf. [Aczel 1977]). Thus, in view of our approach, the model-theoretic reconstruction of the semantics of logic programs of Falaschi et al. [1993] might be fully generalized to hierarchies of inductive definitions, and therefore applied to more general rule-based presentations of semantics or type systems related by abstract interpretation.

ACKNOWLEGMENTS

This work was begun in early 1995 while the authors were visiting the LIX, Laboratoire d'Informa- tique, E cole Polytechnique, in Paris. They thank the LIX, and in particular Radhia Cousot, for the kind hospitality. The work of Roberto Giacobazzi has been partly supported by the EEC Human Capital and Mobility individual Grant ``Semantic Definitions, Abstract Interpretation and Constraint Reasoning'', No. ERBCHBICT930822.

Received February 10, 1997; final manuscript received January 22, 1998

REFERENCES

Aczel, P. (1977), An introduction to inductive definitions, in ``Handbook of Mathematical Logic,'' (J. Barwise, Ed.), pp. 739782, North-Holland, Amsterdam. Adaricheva, K., and Gorbunov, V. (1990), Equational closure operator and forbidden semidistributive lattices, Siberian Math. J. 30(6), 831849. Amato, G., and Levi, G. (1997), Properties of the lattice of observables in logic programming, in ``Proceedings of the Italian-Portuguese-Spanish Joint Conference on Declarative Programming, (APPIA-GULP-PRODE '97),'' pp. 175187. Apt, K. R. (1990), Introduction to logic programming, in ``Handbook of Theoretical Computer Science, Vol. B: Formal Models and Semantics'' (J. van Leeuwen, Ed.), pp. 495574, Elsevier, Amsterdam, The MIT Press, Cambridge, Mass. 188 GIACOBAZZI AND RANZATO

Barbuti, R., Giacobazzi, R., and Levi, G. (1993), A general framework for semantics-based bottom-up abstract interpretation of logic programs, ACM Trans. Program. Lang. Syst. 15(1), 133181. Birkhoff, G. (1967), ``Lattice Theory,'' AMS Colloquium Publications, Vol. XXV, 3rd ed., AMS, Providence, R.I. Bol, R., and Groote, J. F. (1996), The meaning of negative premises in transition system specification, J. ACM 43(5), 863914. Bossi, A., and Cocco, N. (1993), Basic transformation operations for logic programs which preserve computed answer substitutions, J. Logic Program. 16, 4787. Bossi, A., Gabbrielli, M., Levi, G., and Martelli, M. (1994), The s-semantics approach: theory and applications, J. Logic Program. 1920, 149197. Bossi, A., Gabbrielli, M., Levi, G., and Meo, M. (1994), A compositional semantics for logic programs, Theor. Comput. Sci. 122(12), 347. Codish, M., Dams, D., and Yardeni, E. (1994), Bottom-up abstract interpretation of logic programs, Theor. Comput. Sci. 124(1), 93126. Codish, M., Mulkers, A., Bruynooghe, M., Garc@a de la Banda, M., and Hermenegildo, M. (1995), Improving abstract interpretations by combining domains, ACM Trans. Program. Lang. Syst. 17(1), 2844. Comini, M., and Levi, G. (1994), An algebraic theory of observables, in ``Proceedings of the 1994 International Logic Programming Symposium (ILPS '94)'' (M. Bruynooghe, Ed.), pp. 172186, MIT Press, Cambridge, MA. Comini, M., Levi, G., and Meo, M. (1995), Compositionality of SLD-derivations and their abstractions, in ``Proceedings of the 1995 International Symposium on Logic Programming (ILPS '95)'' (J. Lloyd, Ed.), MIT Press, Cambridge, MA. Cortesi, A., File, G., Giacobazzi, R., Palamidessi, C., and Ranzato, F. (1997), Complementation in abstract interpretation, ACM Trans. Program. Lang. Syst. 19(1), 747. Cortesi, A., Le Charlier, B., and Van Hentenryck, P. (1994), Combinations of abstract domains for logic programming, in ``Conference Record of the 21st ACM Symposium on Principles of Programming Languages (POPL '94),'' pp. 227239, ACM Press, New York. Cousot, P. (1996), Abstract interpretation, ACM Comp. Surv. 28(2), 324328. Cousot, P. (1997a), Constructive design of a hierarchy of semantics of a transition system by abstract interpretation, in ``Proceedings of the 13th International Symposium on Mathematical Foundations of Programming Semantics (MFPS '97)'' (S. Brookes, and M. Mislove, Eds.), Electronic Notes in Theoretical Computer Science, Vol. 6, Elsevier, Amsterdam. Cousot, P. (1997b), Types as abstract interpretations, in ``Conference Record of the 24th ACM Symposium on Principles of Programming Languages (POPL '97),'' pp. 316331, ACM Press, New York. Cousot, P., and Cousot, R. (1977), Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, in ``Conference Record of the 4th ACM Sym- posium on Principles of Programming Languages (POPL '77),'' pp. 238252, ACM Press, New York. Cousot, P., and Cousot, R. (1979), Systematic design of program analysis frameworks, in ``Conference Record of the 6th ACM Symposium on Principles of Programming Languages (POPL '79),'' pp. 269282, ACM Press, New York. Cousot, P., and Cousot, R. (1992a), Abstract interpretation and application to logic programs, J. Logic Program. 13(23), 103179. Cousot, P., and Cousot, R. (1992b), Inductive definitions, semantics and abstract interpretation, in ``Conference Record of the 19th ACM Symposium on Principles of Programming Languages (POPL '92),'' pp. 8394, ACM Press, New York. Cousot, P., and Cousot, R. (1994), Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and per analysis of functional languages), in ``Proceedings of the IEEE International Conference on Computer Languages (ICCL '94),'' pp. 95112, IEEE Computer Society Press, Los Alamitos, CA. UNIFORM CLOSURES 189

Cousot, P., and Cousot, R. (1995), Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game-theoretic form, in ``Proceedings of the 7th International Conference on Computer Aided Verification (CAV '95)'' (P. Wolper, Ed.), Lecture Notes in Computer Science, Vol. 939, pp. 293308, Springer-Verlag, Berlin. Deutsch, A. (1992), `Òperational models of programming languages and representations of relations on regular languages with application to the static determination of dynamic aliasing properties of data,'' Ph.D. thesis, University of Paris VI, Paris, France. Dwinger, P. (1954), On the closure operators of a complete lattice, Indagat. Math. 16, 560563. van Emden, M. H., and Kowalski, R. A. (1976), The semantics of predicate logic as a programming language, J. ACM 23(4), 733742. Fages, F., and Gori, R. (1996), A hierarchy of semantics for normal constraint logic programs, in ``Proceedings of the 5th International Conference on Algebraic and Logic Programming (ALP '96)'' (M. Hanus and M. Rodr@guez-Artalejo, Eds.), Lecture Notes in Computer Science, Vol. 1139, pp. 7791, Springer-Verlag, Berlin. Falaschi, M., Levi, G., Martelli, M., and Palamidessi, C. (1989), Declarative modeling of the operational behavior of logic languages, Theor. Comput. Sci. 69(3), 289318. Falaschi, M., Levi, G., Martelli, M., and Palamidessi, C. (1993), A model-theoretic reconstruction of the operational semantics of logic programs, Inf. Comput. 103(1), 86113. File, G., Giacobazzi, R., and Ranzato, F. (1996), A unifying view of abstract domain design, ACM Com- put. Surv. 28(2), 333336. File, G., and Ranzato, F. (1998), The powerset operator on abstract interpretations, Theor. Comput. Sci, to appear. Giacobazzi, R. (1996), `Òptimal'' collecting semantics for analysis in a hierarchy of logic program semantics, in ``Proceedings of the 13th International Symposium on Theoretical Aspects of Computer Science (STACS '96)'' (C. Puech, Ed.), Lecture Notes in Computer Science, Vol. 1046, pp. 503514, Springer-Verlag, Berlin. Giacobazzi, R., Palamidessi, C., and Ranzato, F. (1996), Weak relative pseudo-complements of closure operators, Algebra Universalis 36(3), 405412. Giacobazzi, R., and Ranzato, F. (1995), Functional dependencies and Moore-set completions of abstract interpretations and semantics, in ``Proceedings of the 1995 International Symposium on Logic Programming (ILPS '95)'' (J. Lloyd, Ed.), pp. 321335, MIT Press, Cambridge, MA. Giacobazzi, R., and Ranzato, F. (1996), Complementing logic program semantics, in ``Proceedings of the 5th International Conference on Algebraic and Logic Programming (ALP '96)'' (M. Hanus and M. Rodr@guez-Artalejo, Eds.), Lecture Notes in Computer Science, Vol. 1139, pp. 238253, Springer- Verlag, Berlin. Giacobazzi, R., and Ranzato, F. (1997), Refining and compressing abstract domains, in ``Proceedings of the 24th International Colloquium on Automata, Languages and Programming (ICALP '97)'' (P. Degano, R. Gorrieri, and A. Marchetti-Spaccamela, Eds.), Lecture Notes in Computer Science, Vol. 1256, pp. 771781, Springer-Verlag, Berlin. Giacobazzi, R., and Ranzato, F. (1998), Optimal domains for disjunctive abstract interpretation, Sci. Comput. Program 32(13), 177210. Gierz, G., Hofmann, K. H., Keimel, K., Lawson, J. D., Mislove, M., and Scott, D. S. (1980), `À Compendium of Continuous Lattices,'' Springer-Verlag, Berlin. Granger, P. (1988), Combinations of semantic analyses, in ``Proceedings of the 2nd French-Soviet Workshop on Methods of Compilation and Program Construction, Informatika '88'' (P. Deransart, Ed.), pp. 7188, INRIA, Rocquencourt, France. Hoare, C. A. R., Hayes, I. J., Jifeng, H., Morgan, C. C., Roscoe, A. W., Sanders, J. W., Sorensen, I. H., Spivey, J. M., and Sufrin, B. A. (1987), Laws of programming, Comm. ACM 30(8), 672 686. Jensen, T. (1997), Disjunctive program analysis for algebraic data types, ACM Trans. Program. Lang. Syst. 19(5), 751803. 190 GIACOBAZZI AND RANZATO

Lassez, J., and Maher, M. (1984), Closures and fairness in the semantics of programming logic, Theor. Comput. Sci. 29, 167184. Morgado, J. (1960), Some results on the closure operators of partially ordered sets, Portugal. Math. 19(2), 101139. Morgado, J. (1962), On complete congruences of complete lattices, Portugal. Math. 21(1), 1125. Muthukumar, K., and Hermenegildo, M. (1991), Combined determination of sharing and freeness of program variables through abstract interpretation, in ``Proceedings of the 8th International Conference on Logic Programming (ICLP '91)'' (K. Furukawa, Ed.), pp. 4963, MIT Press, Cambridge, MA. Nielson, F. (1984), Abstract Interpretation using Domain Theory, Ph.D. thesis CST-31Â84, University of Edinburgh, Edinburgh, Scotland. Plotkin, G. (1981), A structural approach to operational semantics, Tech. Rep. DAIMI FN-19, Computer Science Dept., Aarhus University, Aarhus, Denmark. Sundararajan, R., and Conery, J. (1992), An abstract interpretation scheme for groundness, freeness, and sharing analysis of logic programs, in ``Proceedings of the 12th Conference on Foundations of Software Technology and Theoretical Computer Science (FST6TCS '92)'' (R. Shyamasundar, Ed.), Lecture Notes in Computer Science, Vol. 652, pp. 203216, Springer-Verlag, Berlin. Ward, M. (1942), The closure operators of a lattice, Ann. Math. 43(2), 191196. Yi, K., and Harrison, W. L. (1993), Automatic generation and management of interprocedural program analyses, in ``Conference Record of the 20th ACM Symposium on Principles of Programming Languages (POPL '93),'' pp. 246259, ACM Press, New York.